Enteo V6.X Master Referenz Paket (Screensaver/Locked/User Fragen), Version 1.1 vom 10.10.2010

Alle Binaries sowie ein Export des Projektes von Enteo V6.2 sind unter dieser URL zu finden:

http://www.ntfaq.ch/home.aspx?seite=enteo62_Referenz_Paket_Butsch_Informatik

http://www.butsch.ch

Was macht das Paket?

Dieses universelle Referenz Paket soll zeigen wie man in einer reellen Deployment Umgebung auf das Environment und die User eingehen kann.

Bei vielen Software Deployment fehlen diese Optionen obwohl Sie an sich Grundbausteine einer Software Verteilung sind. Dieses Beispiel soll einen

Anstoss in die richtige Richtung und als Ersatz für eine ein fehlendes Beispiel von Enteo dienen. Zielpublikum:

Desktop Engineer mit mehreren Jahren Deployment Erfahrung und Basis Kenntnissen in Enteo. Enteo Quer‐Einsteiger z.B. von SMS, SCCM,

Altiris oder z.B. Highsystem. Nicht geeignet für Supporter, welchen man aus Unwissenheit die Software Verteilung mal Testweise übergibt.

Finger weg und zurück an den IT‐Chef geben und bitten, dass er das Kapitel ITIL‐Risk Management und Recovery besser durchliest;‐)

Pflichtenheft an das Master Paket: Das Paket soll folgendes erfüllen….

‐     Abfragen ob der Screensaver aktiv ist > Denn dann wollen wir nicht installieren

‐     Ermitteln ob der Client gelockt ist > Denn dann wollen wir nicht installieren

‐     Es soll Abfragen ob ein User gerade arbeitet und angemeldet ist (Ev. Geht es nur dann?)

‐     Soll wissen wie es Enteo seitig kommt (Serviceinstaller oder Autoinstaller)

‐     Soll den User Fragen ob Sie das Update wollen oder man möchte diese nur laufen lassen, wenn jemand angemeldet ist (z.B. Green‐IT‐Oeko Shop ohne WOL und mit Stromleisten!)

 Das Master Paket wird anhand eines Beispiels erklärt. In diesem Falls das Deployment von Adobe Flash 10.1.85.3 vom September 2010.

Das Paket macht eine Migration des Flash Players auf die aktuelle Version. Desktop Deployment und IT ist Migration und Wandel.

Frisch installieren kann jeder und ist einfach! Darum wird in einer Präsentation nie eine Migration von Flash Player sonder immer nur eine frische Installation gezeigt.

Im Package Folder haben wir folgende Binary Files. Alle kann man bei uns downloaden.

Dies wird z.B. hier verwendet:

Einzelne Teile des Enteo Skriptes erklärt:

Hier kontrolliere ich mit "locked.exe" ob der Client gelockt/gesperrt ist. Da wir z.B. für eine Flash/Adobe Reader Upgrade offene Apps (Internet Explorer)

zumachen müssen soll dies NICHT passieren wenn der User Weg von seinem PC ist (CTRL‐ALT‐DEL gemacht).

Mit dem Enteo Befehl ExitPROCEX; "UNDONE" verlassen wir das Script. Das "UNDONE" sieht man dann z.B. bei den Policies in der Enteo Konsole.

Der Vorgang wiederholt sich einfach beim nächsten Enteo Intervall oder Start der Maschine spätestens wieder.

Microsoft W10 Update to 1909 failed because the pre Check found the certain DLL somewhere under the c:\drivers or C:\SWSETUP olders. (APP/Software or driver was not installed, Update block by JUST finding the Certain DLL somewhere on certain paths used by certain Producer/OEM.

Often used paths for drivers and where W10 Update tried to find add. Info about a system and what was installed (Beside Software, Registry and Windows-Installer Cache/DB).

• HP > C:\SWSETUP\
• DELL > c:\DRIVERS\
• Our deployment solution > c:\DRIVERS\

We just had a case where we update W10 1709 to 1909 through a Deployment solution. Updates of HP Laptop failed.

If we installed the Update manual we did see that the "Infineon TPM Professional Package" was blocking. But the software was not installed.

Reason for W10 Update failing:

At that customer we use c:\drivers\ for our deployment structure on HP (Like Dell does > By the way don't use c:\drivers for your own packages/batch on DELL systems it will break some DELL batches).

Under that structure we have a library of certain most used HP Service Packs. There was one which included an Infineon TPM driver. Just by searching through those files

Microsoft thinks the drivers IS installed a Blocks the update. The driver was not installed on the system.

Solution:

Just delete those Directory and files if you don't reference them and they are not used MSI-Source files on the system you handle the update. On HP systems you can even rename the folder like from C:\SWSETUP\ to C:\_SWSETUP\ and it will work.

Where we found that info:

We silent deploy the 1909 there will following command line which gives us detailed Debug Log Info:

c:\drivers\setup\CUSTOMER_W10_1909\setup.exe /auto upgrade /copylogs \\SERVER\w10_1909$\CLIENTS_DEBUG\%computername% /DiagnosticPrompt enable /Priority Normal /postoobe c:\drivers\setup\CUSTOMER_W10_1909\CUSTOMER_W10_ENDE_OK.cmd /postrollback c:\drivers\setup\CUSTOMER_W10_1909\CUSTOMER_W10_ROLLBACK.cmd /Quiet /ShowOOBE none /telemetry disable /compat IgnoreWarning /DynamicUpdate disable /migratedrivers all

In these Logfiles then you will find the reason why he did not upgrade. You will also see why if you skip the OPTIONS: /Quiet /ShowOOBE none

search over all log files for "StatusDetail="UpgradeBlock"

It will be found in the logfile Compatdata*.xml

Here is the info regarding the Block within the XML File:

<Program IconId="ifxspmgt.exe_f069054697b0a0ae" Id="0006c5c9b5d907dd9c81f4d74bb61beb7e3900000904" Name="Infineon TPM Professional Package">

<CompatibilityInfo BlockingType="Hard" StatusDetail="UpgradeBlock"/>

<Action Name="ManualUninstall" ResolveState="NotRun" DisplayStyle="Text"/>

</Program></Programs>

The where the files that Windows 10 Update found BUT where not installed on the system.

Just delete the files if unused and the update will do it what it should.

Fortigate Application Filter Certificate wrong/missing Entry sample for an important laptop driver (W10 Deployment fails because of signed Driver Revocation Lookup)

OR HOW a missing small ENTRY I a FORTIGATE FIREWALL IPS/APP filter can ruin your Windows 10 OS-Deployment work.

Reason: Missing entry in Fortigate Application Filter "ROOT.CERTIFICATE.URL" and "OCSP" source of failing deployment

Windows 10 Deployment with commercial Deployment Products (This includes HP client hardware, Microsoft SCCM, Landesk or Ivanti Frontrange).

During the Unattend phase the driver for MASS storage or NIC does a Certificate Revocation Lookup. However the as sample mentioned

URL pki.infineon.com (Hardware Driver URL, CRL FQDN) is missing in Fortiguard definitions. Thus the Fortigate does block the access to WAN. Since this is an early setup phase of W10, group Policy or special GPO do not pull at that moment.

Fortigate has already missed several PKI URL the last few months confirmed by ticket resulting in large trouble and delay on client and Server OS of customers who route their Client or Server traffic through Web proxy and because of security do not want to route computer account proxy traffic standard to the proxy.

Why this is so important. Why this is generating a lot of work and trouble for OS-Deployment teams.

The normal way in larger companies is that all outgoing traffic from client VLAN goes to Firewall which it blocks. All Web/Application/Socks traffic that should go outside goes to a Proxy, Web filter.

Because in early phase of Deployment those options are not set already and normally not needed. However if the driver is older than the Expiration of the Code Signing Certificate W7/W10 will check

The Certificate Revocation list from WAN/Internet. If that fails it may refuse to integrate the driver in Windows PE or early Windows Setup phase. If example this is a driver which

handels NIC (network) or mass Storage driver (Disk) they deployment can't run through this early process.

Workaround:

URL we need open in our sample: pki.infineon.com which prevents a complete Enterprise Deployment system to fail

Sample from Fortigate for other Certs they missed:

F-SBID( --name "Root.Certificate.URL_Custom"; --protocol tcp; --app_cat 17; --service HTTP; --flow from_client; --pcre "/(crl\.microsoft\.com|\.omniroot\.com|\.verisign\.com|\.symcb\.com|\.symcd\.com|\.verisign\.ne t|\.geotrust\.com|\.entrust\.net|\.public- trust\.com|\.globalsign\.|\.digicert\.com|crl\.startcom\.|crl\.cnnic\.cn|crl\.identrust\.com|crl\.thaw te\.com|crlsl\.wosign\.com|www\.d\-trust\.net)/"; --context host; --weight 15; )

In our case:

F-SBID( --name "Root.Certificate.pki.infineon.com"; --protocol tcp; --app_cat 17; --service HTTP; -- flow from_client; --pcre "/(pki\.infineon\.com)/"; --context host; --weight 15; )

Please also see:

Butsch.ch | The certificate is invalid for exchange server usage Exchange 2010 SAN/UC

https://www.butsch.ch/post/The-certificate-is-invalid-for-exchange-server-usage-Exchange-2010-SANUC

So you understand that this is a problem which persists over all firewall producers:

https://support.symantec.com/en_US/article.HOWTO9584.html

Symantec: About the Install Readiness Check for Certificate Revocation List access

https://success.trendmicro.com/solution/1058226

TEND MICRO: After upgrading OfficeScan, users complained that the server started to rename all files in the OfficeClient Directory to "_invalid".
Below is a sample list of files in the D:\app\Trend Micro\OfficeScan\PCCSRV\Admin directory:

Checkpoint:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk108202

If there is no Internet connection, then CRL fetch and intermediate CA fetch will fail (this will be logged). The inspection will take place; however, URL-based or Category-based bypassing will not work.

Note: The CRL verifications are performed in the background asynchronously while matching the security policy (this mimics the behavior of the major web browsers).

Untrusted certificates and lack of CRLs can be configured as reasons to drop the connection

Mcafee:
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25504/en_US/epo_530_pg_0-00_en-us.pdf

Internet Explorer, Group Policy, Gruppenrichtlinien, IE11 GPO Settings, PROXY Explained F5-F8

1. IE11 has to be installed so you see the IE10 Option
2. There is not IE11 Option > That's ok > Choose IE10 it will work fir IE11
3. You are on a SRV 2012 R2 or W8 to see this option or W7 with installed updated
4. You did try it always fails or you get too MUCH Gpo settings from the GUI Mode.

    

This is what we talk about and seems to make confusions. People set if with it and at the end did with HKCU keys.

You can configure the options with F5, F6, F7 and F8 keys from the GUI. Only choose the options you want to change.

ALL RED > Will not be touched (Like GPO Settings DEFAULT)

ALL GREEN > Will be touched or changed (Like GPO setting ENABLE/DISABLE) depending on the GUI if you have a checkbox selected or not.

GREEN = Stuff you want to change

RED = LEAVE IT at it is

Some sample settings

If you go back one step on the GPO Console and do an F5 / Refresh

You should only see the option which you marked GREEN with F7 or F8

Lets make a sample (That i don't want touched)

See forgot two things and not clear how to select under security

Back in GPO Console one step, Update F5, Refresh

The above mentioned is RED THUS Gone / Not touched

We recommend to enable a check if you DO Registry KEYS or such Settings with GPO and not deployment.

Make sure you have a WMI Filter to also capture IE11

Check out I11 LINKS:

http://www.butsch.ch/post/IE11-IEAK-11-Setup-9-PRE-Deployment-Patches-2b-1-Hotfix.aspx

http://www.butsch.ch/post/Internet-Explorer-911-GPO-old-IE9-not-visible-WMI-checks.aspx

http://www.butsch.ch/post/IE11-Umsetzen-Unternehmensmodus-Enterprise-Mode.aspx

Intel(R) Ethernet Connection I217-LM Deployment problems

HP Zbook, Probook 650G1 (See below for full range info)

OS Deployment problems with Intel NIC i217-V (I217V) under Windows 7 64BIT and different Deployment Software Like Frontrange-Enteo, SCCM, Symantec and also with Windows Deployment.

Main problem is that the Windows PE 3.X that most Deployment solutions use accepts a less DEVICEID (A shorter). Also the NIC somehow seems to have timing problems and just behaves different than others during unattended setup.

Your Windows PE will work with any driver DeviceID:

PCI\VEN_8086&DEV_153B

But the Windows 7 Setup that your Deployment does need is more specific driver and checks behind that base DeviceID:

PCI\VEN_8086&DEV_153B&SUBSYS_00008086 (Sample)

06.09.2013, 12.8.33.9427 < GEHT NICHT
06.06.2014, 12.11.77.2 < GEHT NICHT
31.07.2014, 12.12.50.7205 (REV: A PASS: 4) < GEHT von HP Carepaq, sp68420

Check! VERSION: 12.12.50.7205 REV: A PASS: 4

ftp://ftp.hp.com/pub/softpaq/sp68001-68500/sp68420.html

Screenshot shows Driver 12.8.33 from original HP factory setup W7 64BIT which DOES not work for Deployment.

The HP Factory NIC Setup shows following Device-ID (W7 64BIT) which does not work for deployment

Errors your will see in c:\windows\panther with wrong driver (No NIC in OS phase / Not Windows PE)

You need the INF file with the three DeviceID:

%E153BNC.DeviceDesc% = E153B.6.1.1, PCI\VEN_8086&DEV_153B

%E153BNC.DeviceDesc% = E153B.6.1.1, PCI\VEN_8086&DEV_153B&SUBSYS_00008086

%E153BNC.DeviceDesc% = E153B.6.1.1, PCI\VEN_8086&DEV_153B&SUBSYS_00011179

Links:

http://www.symantec.com/connect/forums/ghost-loop

https://downloadcenter.intel.com/search?keyword=Intel%28R%29+Ethernet+Connection+I217-V

http://serverfault.com/questions/649507/mdt-deployment-issue-driver-not-loading-i217-lm-on-mdt

https://communities.intel.com/thread/43218

http://forum.enteo.com/showthread.php?t=15396&page=2

ftp://ftp.hp.com/pub/softpaq/sp68001-68500/sp68420.html

Internet Explorer 11 Setup with IEAK11 for Deployment

We have seen several posting on Social MSDN but also deployment blogs with people struggling with the IEAK Setup of IE11 or better the 9 PRE patches the IE setup 10/11 needs.

Technet http://support.microsoft.com/kb/2847882 describes the Updates that have to be installed before you can Install IE11 silent.

Error Source 1, Setup tries to fetch updates in the back and fails because of Proxy

If these are not on the machine the Setup will try to fetch them from internet. Because the "Computer account" (Not the user) mostly has no PROXY information this will fail. I will not show you how you change that here; Target would be to have all files ready from deployment.

Error Source 2, Reboot OR WMI Update for Patches after installing PRE Patches

If you install the 9 patches with a batch or script you should:

a) Reboot the client which makes it a Reboot and advance package which some deployment can't handle

b) Solution > Rebuild the Patch Inventory by "c:\windows\system32\wbem\wmic.exe qfe" (Does not work on 19.03.2015)

The IEAK 11 Version from March 2015 does actualy check the Version of the files AS they are in place. So no Patches are checked to decide if add. Updates are downloaded. Thus the Reboot may be needed IF in use FIles are present.

> THUS only working solution would be on march 2015 to do a 3 STEP package

1) Install PRE Deployment Patches (Reboot)

2) Install IEAK (Reboot)

3) Install Post Deployment Patches (may need Reboot)

00:01.841: INFO:    Version Check for (KB2834140) of C:\Windows\System32\d3d11.dll: 6.1.7601.17514 >= 6.2.9200.16570 (False)
00:01.841: WARNING: Checking version for C:\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll.  The file does not exist.
00:01.841: INFO:    Version Check for (KB2639308) of C:\Windows\System32\Ntoskrnl.exe: 6.1.7601.17803 >= 6.1.7601.17727 (True)
00:01.841: INFO:    Version Check for (KB2533623) of C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll: 6.1.7600.16385 >= 6.1.7601.17617 (False)
00:01.841: INFO:    Version Check for (KB2731771) of C:\Windows\System32\conhost.exe: 6.1.7601.17514 >= 6.1.7601.17888 (False)
00:01.841: INFO:    Checking for correct version of C:\Windows\Fonts\segoeui.ttf.
00:01.856: INFO:    Version Check for (KB2786081) of C:\Windows\System32\taskhost.exe: 6.1.7601.17514 >= 6.1.7601.18010 (False)
00:01.856: INFO:    Version Check for (KB2888049) of C:\Windows\System32\drivers\tcpip.sys: 6.1.7601.17514 >= 6.1.7601.18254 (False)
00:01.856: INFO:    Version Check for (KB2882822) of C:\Windows\System32\tdh.dll: 6.1.7600.16385 >= 6.1.7601.18247 (False)
00:02.621: INFO:    Download for KB2834140 initiated. Downloading http://go.microsoft.com/fwlink/?LinkID=303935 -> KB2834140_amd64.MSU.
00:02.636: INFO:    Download for KB2533623 initiated. Downloading http://go.microsoft.com/fwlink/?LinkID=254722 -> KB2533623_amd64.MSU.
00:02.636: INFO:    Download for KB2731771 initiated. Downloading http://go.microsoft.com/fwlink/?LinkID=258387 -> KB2731771_amd64.CAB.
00:02.636: INFO:    Download for KB2786081 initiated. Downloading http://go.microsoft.com/fwlink/?LinkID=273751 -> KB2786081_amd64.CAB.
00:02.652: INFO:    Download for KB2888049 initiated. Downloading http://go.microsoft.com/fwlink/?LinkID=324542 -> KB2888049_amd64.MSU.
00:02.668: INFO:    Download for KB2882822 initiated. Downloading http://go.microsoft.com/fwlink/?LinkID=324541 -> KB2882822_amd64.MSU.

Error Source 3

KB2670838, Blurry Fonts Patch

KB2898202, Hotfix for Blurry Fonts Patch

If you take a closer look at the patches in KB2847882 you will see that thy want to install the "blurry Fonts patch / KB2670838" which caused a lot of trouble a few months ago. On most WSUS this is denied. However the IE11 needs that Patch. Even worse if you UNINSTALL the Blurry Fonts patch IE will get uninstalled fully.

Solution is to install KB2670838 and then KB2898202 the HOTFIX.

• FIX: Font smoothing and antialiasing for some fonts do not occur after hotfix 2670838 is installed in Windows 7 Service Pack 1 or Windows Server 2008 R2

  http://support.microsoft.com/kb/2898202

Thanks to Karen HU from Pactera/china for pointing us in that direction.

https://social.technet.microsoft.com/Forums/de-DE/0bb37a16-f8a3-4648-897e-6a1a5986a437/not-wanted-fonts-patch-kb2670838-and-ieak11-silent-last-status?forum=ieitprocurrentver

Here is how a Failed Logfile will look for the IE11 Setup c:\windows\IE11_main.log

01:52.679: ERROR:   WMI query for Hotfixes timed out. Query string: 'Select HotFixID from Win32_QuickFixEngineering WHERE HotFixID="KB2729094"'  Error: 0x00040004 (262148).
01:52.711: INFO:    Download for KB2729094 initiated. Downloading http://go.microsoft.com/fwlink/?LinkID=258385 -> KB2729094_amd64.MSU.
01:52.726: INFO:    Waiting for 1 prerequisite downloads.
02:23.880: INFO:    Prerequisite download processes have completed. Starting Installation of 1 prerequisites.
02:23.880: ERROR:   Error downloading prerequisite file (KB2729094): 0x800b0109 (2148204809)
02:24.098: INFO:    PauseOrResumeAUThread: Successfully resumed Automatic Updates.
02:24.114: INFO:    Setup exit code: 0x00009C47 (40007) - Required updates failed to download.

Here is a list of Binaries:

Uninstall described with IE10 but also valid for IE11

----------

WMI Hotfixes to date 29.07.2015

During IE11 projects we have seen problems with some WMI and WUSA.EXE KB installations. It sometimes seems that the WMI provider

who offers that info hangs or is out of date. Even with some command to refresh it0s stuck. This is a list of Hotfixes we found in that direction

For Existing Windows 7 64BIT Deployments with SP1.

YES = Installs on W7 SP1 64BIT with all Updates from WSUS do date 29.07.2015

NO  = Does not install on same system

001 (YES)

https://support.microsoft.com/en-us/kb/2705357

2705357

Windows6.1-KB2705357-v2-x64.msu

002 (YES)

http://support.microsoft.com/kb/2692929

2692929

Windows6.1-KB2692929-x64.msu

003 (YES but choose 2617858)

Unexpectedly slow startup or logon process in Windows Server 2008 R2 or in Windows 7

http://support.microsoft.com/kb/2465990

2465990 > SUPERSEEDED > Replaced by > 2617858 (https://support.microsoft.com/en-us/kb/2617858)

2465990 > Windows6.1-KB2465990-v3-x64.msu (Older)

2617858 > Windows6.1-KB2617858-x64.msu (Newer, Superseeds the old one)

004 (YES)

https://support.microsoft.com/en-us/kb/2492536

2492536

Windows6.1-KB2492536-x64.msu

005 (NO)

https://support.microsoft.com/en-us/kb/982293

982293

Windows6.1-KB982293-x64.msu

Check this LINK:

http://www.butsch.ch/post/IE11-IEAK-11-Setup-9-PRE-Deployment-Patches-2b-1-Hotfix.aspx

If you Deploy Windows 7 you may consult the folder Path: BOOT:\windows\panther for any problems. (Use SHIFT F10 to get Console). This may help finding errors or helping with the integration of NIC and mass storage drivers which may need to get integrated to support newer model of hardware.

When the Windows PE phase of Windows Setup is running, you can break into a command prompt window running under Local System context by pressing SHIFT+F10.

C:\windows\panther\UnattendGC\Setupact.txt

Here you can diag the DOMAIN JOIN and with which account or which OU this was planned .

2013-05-14 10:46:30, Info[DJOIN.EXE] Unattended Join: Begin

2013-05-14 10:46:30, Info[DJOIN.EXE] Unattended Join: Loading input parameters...

2013-05-14 10:46:30, Info[DJOIN.EXE] Unattended Join: AccountData = [NULL]

2013-05-14 10:46:30, Info[DJOIN.EXE] Unattended Join: UnsecureJoin = [NULL]

2013-05-14 10:46:30, Info[DJOIN.EXE] Unattended Join: MachinePassword = [secret not logged]

2013-05-14 10:46:30, Info[DJOIN.EXE] Unattended Join: JoinDomain = [CUST]

2013-05-14 10:46:30, Info[DJOIN.EXE] Unattended Join: JoinWorkgroup = [NULL]

2013-05-14 10:46:30, Info[DJOIN.EXE] Unattended Join: Domain = [CUST]

2013-05-14 10:46:30, Info[DJOIN.EXE] Unattended Join: Username = [delegate_admin]

2013-05-14 10:46:30, Info[DJOIN.EXE] Unattended Join: Password = [secret not logged]

2013-05-14 10:46:30, Info[DJOIN.EXE] Unattended Join: MachineObjectOU = [OU= l,OU=CUST,DC=CUST,DC=ch]

2013-05-14 10:46:30, Info[DJOIN.EXE] Unattended Join: DebugJoin = [NULL]

2013-05-14 10:46:30, Info[DJOIN.EXE] Unattended Join: DebugJoinOnlyOnThisError = [NULL]

2013-05-14 10:46:30, Info[DJOIN.EXE] Unattended Join: Checking that auto start services have started.

2013-05-14 10:46:30, Info[DJOIN.EXE] Unattended Join: Joining domain [CUST]...

2013-05-14 10:46:30, Info[DJOIN.EXE] Unattended Join: Calling DsGetDcName for CUST...

2013-05-14 10:46:31, Info[DJOIN.EXE] Unattended Join: DsGetDcName returned [CUSTDCW1]

2013-05-14 10:46:31, Info[DJOIN.EXE] Unattended Join: Constructed domain parameter [CUST\CUSTDCW1]

2013-05-14 10:46:32, Info[DJOIN.EXE] Unattended Join: NetJoinDomain succeeded!

2013-05-14 10:46:32, Info[DJOIN.EXE] Unattended Join: Exit, returning 0x1

C:\Windows\Panther\setupact.log

You can identify from where Windows 7 was installed and with what PE version.

2013-05-14 10:20:39, Info IBS InstallWindows:Successfully loaded resource language [de-DE]

2013-05-14 10:20:39, Info [0x0601c1] IBS InstallWindows:Install Path = W:\W7SP1ENT64.GER\sources

2013-05-14 10:20:39, Info [0x0601c2] IBS InstallWindows:Setup Phase = 2

2013-05-14 10:20:39, Info [0x0601e9] IBS CheckWinPEVersion:Compatible WinPE Version 6.1.7600 sp 0.0

2013-05-14 10:20:39, Info [0x0601c9] IBS InstallWindows:Starting a new install from WinPE

2013-05-14 10:20:39, Info IBS InstallWindows: Setup working directory = X:\windows\panther

2013-05-14 10:20:39, Info [0x0601ce] IBS Setup has started phase 2 at 2013-05-14 10:20:39

2013-05-14 10:20:39, Info [0x0601cf] IBS Install source is W:\W7SP1ENT64.GER\sources

2013-05-14 10:20:39, Info [0x0601d0] IBS Build version is 6.1.7601.17514 (win7sp1_rtm.101119-1850)

See if network is FROM within the Windows PE is running

2013-05-14 10:20:42, Info IBS STATUS: SUCCESS (0x00000001)

2013-05-14 10:20:42, Info IBS ==== Initializing Network Access and Applying Configuration ====

2013-05-14 10:20:42, Info IBS Found an smb connection.

2013-05-14 10:20:42, Info IBS Networking is currently in use and will not be restarted.

Check if the Windows PE gets a DHCP address (Maybe 802.X in place to protect unwanted network access)

2013-05-14 10:20:42, Info IBS QueryAdapterStatus: found operational adapter with DHCP address assigned.

2013-05-14 10:20:42, Info IBS Spent 0ms confirming network initialization; status 0x00000000

Find out where Windows PE searches for PNP drivers during setup

PnPIBS: Checking for pre-configured driver directory C:\$WinPEDriver$.

2013-05-14 10:20:43, Info PnPIBS: Checking for pre-configured driver directory E:\$WinPEDriver$.

2013-05-14 10:20:43, Info PnPIBS: Checking for pre-configured driver directory F:\$WinPEDriver$.

2013-05-14 10:20:43, Info PnPIBS: Checking for pre-configured driver directory G:\$WinPEDriver$.

2013-05-14 10:20:43, Info PnPIBS: Checking for pre-configured driver directory H:\$WinPEDriver$.

2013-05-14 10:20:43, Info PnPIBS: Checking for pre-configured driver directory I:\$WinPEDriver$.

2013-05-14 10:20:43, Info PnPIBS: Checking for pre-configured driver directory J:\$WinPEDriver$.

2013-05-14 10:20:43, Info PnPIBS: Checking for pre-configured driver directory W:\$WinPEDriver$.

2013-05-14 10:20:43, Info PnPIBS: Checking for pre-configured driver directory X:\$WinPEDriver$.

You can also retrieve and diag a lot of Driver related info from the same file.

\VEN_8086&DEV_0152&SUBSYS_339A103C&REV_09\3&11583659&0&10

2013-05-14 10:43:39, Info SYSPRP SPPNP: {Retrieving drivers used by device PCI\VEN_8086&DEV_1E3A&SUBSYS_339A103C&REV_04\3&11583659&0&B0}

2013-05-14 10:43:39, Info SYSPRP SPPNP: The device setup class for device PCI\VEN_8086&DEV_1E3A&SUBSYS_339A103C&REV_04\3&11583659&0&B0 is 4d36e97d-

Detailed Disk Info and Partition info and if hardware is compatible

2013-05-14 10:20:50, Info IBS DumpDeviceIDs: Compat ID [PCI\CC_010601]

2013-05-14 10:20:50, Info IBS DumpDeviceIDs: Compat ID [PCI\CC_0106]

2013-05-14 10:20:50, Info IBS IsDeviceIDPresent:Found device ID [PCI\CC_010601] in hwcompat list

2013-05-14 10:20:50, Info IBS IsDeviceSupported:Device [Serial ATA Controller] is supported

2013-05-14 10:20:50, Info IBS DumpDeviceIDs: H/w ID [ACPI\PNP0A08]

2013-05-14 10:20:50, Info IBS DumpDeviceIDs: H/w ID [*PNP0A08]

2013-05-14 10:20:50, Info IBS DumpDeviceIDs: Compat ID [*PNP0A03]

2013-05-14 10:20:50, Info IBS IsDeviceIDPresent:Found device ID [*PNP0A03] in hwcompat list

2013-05-14 10:20:50, Info IBS DumpDeviceIDs: H/w ID [IDE\DiskST500DM002-1BD142_______________________HP73____]

2013-05-14 10:20:50, Info IBS DumpDeviceIDs: H/w ID [IDE\ST500DM002-1BD142_______________________HP73____]

2013-05-14 10:20:50, Info IBS DumpDeviceIDs: H/w ID [IDE\DiskST500DM002-1BD142_______________________]

2013-05-14 10:20:50, Info IBS DumpDeviceIDs: H/w ID [ST500DM002-1BD142_______________________HP73____]

2013-05-14 10:20:50, Info IBS DumpDeviceIDs: H/w ID [GenDisk]

2013-05-14 10:20:50, Info [0x0606cc] IBS GetDisk: Querying VDS providers...

2013-05-14 10:20:50, Info [0x0606cc] IBS GetDisk: Finished querying VDS providers.

2013-05-14 10:20:50, Info [0x0606cc] IBS CreatePartition: Need to decide the type of the partition to create

2013-05-14 10:20:50, Info [0x0606cc] IBS ResolvePartitionTypeToCreate: <DiskConfiguration>: disk 0 already has 1 allocated partitions

2013-05-14 10:20:50, Info [0x0606cc] IBS GetDisk: Querying VDS providers...

2013-05-14 10:20:50, Info [0x0606cc] IBS GetDisk: Finished querying VDS providers.

2013-05-14 10:20:50, Info [0x0606cc] IBS FindFreeExtent: Trying to find extent matching these criteria (byte offset of 0 implies no offset preference): [WithinContainer = False] [Size >= 0x0 bytes] [Byte offset = 0x0]

2013-05-14 10:20:50, Info [0x0606cc] IBS FindFreeExtent: Found suitable extent: [WithinContainer = False], [Byte size of found extent = 0x745de06000], [Byte offset of found extent = 0x12d00000], [Return size of found extent = 0x745de06000], [Return offset of found extent = 0x12d00000].

2013-05-14 10:20:50, Info [0x0606cc] IBS CreatePartition: Requesting creation of partition with { offset = [0x12d00000], size [0x745de06000] }

2013-05-14 10:20:50, Info [0x0606cc] IBS CreatePartition: Successfully created partition on disk 0 at {offset = [315621376], size = [499791192064]}

C:\Windows\Panther\unattend.xml

This file reflects the parameters that the unattended setup has received to work with.

C:\windows\panther\DDACL.Sys

Is an interesting file for handling removable drives or even network drives in Logons cripts. You can easy see which drives are fixed and removable.

05/14 10:46:04    Info    

05/14 10:46:04    Info    Volume name is \\?\Volume{4ac6db0f-bc72-11e2-8074-806e6f6e6963}\

05/14 10:46:04    Info    Mount Point are :

05/14 10:46:04    Info    

05/14 10:46:04    Info    Volume is Fixed Drive

05/14 10:46:04    Info    Volume is ntfs

05/14 10:46:04    Info    Volume is system

05/14 10:46:04    Info    

05/14 10:46:04    Info    Volume name is \\?\Volume{4ac6db10-bc72-11e2-8074-806e6f6e6963}\

05/14 10:46:04    Info    Mount Point are :

05/14 10:46:04    Info    C:\    

05/14 10:46:04    Info    Volume is Fixed Drive

05/14 10:46:04    Info    Volume is ntfs

05/14 10:46:04    Info    Volume is not system

05/14 10:46:04    Info    Volume \\?\Volume{4ac6db10-bc72-11e2-8074-806e6f6e6963}\ has other OS 1

05/14 10:46:04    Info    

05/14 10:46:04    Info    Volume name is \\?\Volume{4ac6db24-bc72-11e2-8074-806e6f6e6963}\

05/14 10:46:04    Info    Mount Point are :

05/14 10:46:04    Info    E:\    

05/14 10:46:04    Info    Volume is Removable Drive

05/14 10:46:04    Info    

05/14 10:46:04    Info    Volume is Removable Drive

Here is the correct syntax and a working example under Windows PE 3.X 32BIT boot media:

Biosconfigutlity.exe /cspwd:"youroldbiospassword" /cspws:"yournewbiospassword"

And an example to renew the existing BIOS password and write new BIOS Setting in one command:

BiosConfigUtility.exe /cspwd:"youroldbiospassword" /nspwd:"yournewbiospassword" /set:"%cd:~0,3%bios\6300\settings\6300.txt"

• %cd:~0,3% = Current Drive letter your batch is on
• bios\6300\settings\6300.txt (The config file with the new bios settings in some file Directory structure bios\modelltype\settings\modelltypeconfigfile.txt (Just an example)
• Yes, you have to mention the "-chars (Quotation marks)
•  "IF" you provider a existing password (cspwd), AND it does not match, it will be overseen and the NEW password written (cspws)
• The exact syntax and ORDER of the options have to be followed

Make sure you don't mess UP with this tool. On certain newer laptops if you mess UP the BIOS password you "Can't" reset it with a jumper. There are two way (Send device to HP or buy a unlock key from russia for USD50). A cutomer from us has tried and did not understand the tool correct.

 If you don't want plain text passwords in your scripts you may have to use "HPQPswd.exe" which makes a password.BIN file from your entrys with the password encrypted.

1. Download IE10 for Windows 7, http://windows.microsoft.com/en-us/internet-explorer/downloads/ie-10/worldwide-languages
2. Block IE10 on all system which are NOT connected to Windows Update Server WSUS, http://www.microsoft.com/en-us/download/details.aspx?id=36512

    

Notes in German from the field:

1. Kommt nicht automatisch WENN WSUS Anbindung vorhanden
2. Kommt automatisch bei allen kleinen Kunden die KEIN WSUS haben da gestuft als "important Update"

Toolkit to Disable Automatic Delivery of Internet Explorer 10

http://www.microsoft.com/en-us/download/details.aspx?id=36512

• For computers running Windows 7 or Windows Server 2008 R2, the Blocker Toolkit prevents the machine from receiving Internet Explorer 10 via Automatic Updates on the Windows Update and Microsoft Update sites.
• The Blocker Toolkit will not prevent users from manually installing Internet Explorer 10 from the Microsoft Download Center, or from external media.
• Organizations do not need to deploy the Blocker Toolkit in environments managed with an update management solution such as Windows Server Update Services or Systems Management Server 2003. Organizations can use those products to fully manage deployment of updates released through Windows Update and Microsoft Update, including Internet Explorer 10, within their environment.
• Even if you used the Blocker Toolkit to block Internet Explorer 8 or Internet Explorer 9 from being installed as a high-priority or important update, you will still need to use the Internet Explorer 10 version of the Blocker Toolkit to block Internet Explorer 10 from being installed. There are different registry keys used to block or unblock automatic delivery of Internet Explorer 8, Internet Explorer 9 and Internet Explorer 10.

Files within the EXE

HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\10.0\

DoNotAllowIE10 =1

Toolkit to Disable Automatic Delivery of Internet Explorer 10

Overview

To help our customers become more secure and up-to-date, Microsoft will distribute Internet Explorer 10 as a high-priority update through Automatic Updates for Windows 7 Service Pack 1 (SP1) x86 and x64, and Windows Server 2008 R2 SP1 x64. This Blocker Toolkit is intended for organizations that would like to block automatic delivery of Internet Explorer 10 to machines in environments where Automatic Updates is enabled. The Blocker Toolkit will not expire.

• For computers running Windows 7 or Windows Server 2008 R2, the Blocker Toolkit prevents the machine from receiving Internet Explorer 10 via Automatic Updates on the Windows Update and Microsoft Update sites.
• The Blocker Toolkit will not prevent users from manually installing Internet Explorer 10 from the Microsoft Download Center, or from external media.
• Organizations do not need to deploy the Blocker Toolkit in environments managed with an update management solution such as Windows Server Update Services or Systems Management Server 2003. Organizations can use those products to fully manage deployment of updates released through Windows Update and Microsoft Update, including Internet Explorer 10, within their environment.
• If you used the Blocker Toolkit to block Internet Explorer 9 from being installed as a high-priority update, you need to use the Internet Explorer 10 version of the Blocker Toolkit to block Internet Explorer 10 from being installed. There are different registry keys used to block or unblock automatic delivery of Internet Explorer 9 and Internet Explorer 10.

Toolkit Components

This toolkit contains two components:

• An executable blocker script
• A Group Policy Administrative Template (.ADM file)

Supported Operating Systems

Windows 7 Service Pack 1 (SP1) x86 and x64 and Windows Server 2008 R2 SP1 x64 

Blocker Script

The script creates a registry key and sets the associated value to block or unblock (depending on the command-line option used) automatic delivery of Internet Explorer 10 on either the local machine or a remote target machine.

Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup\10.0

Key value name: DoNotAllowIE10

The script has the following command-line syntax:

IE10_Blocker.cmd [<machine name>] [/B] [/U] [/H]

Machine Name

The <machine name> parameter is optional. If not specified, the action is performed on the local machine. Otherwise, the remote machine is accessed through the remote registry capabilities of the REG command. If the remote registry can't be accessed due to security permissions or the remote machine can't be found, an error message is returned from the REG command.

Switches

Switches used by the script are mutually exclusive and only the first valid switch from a given command is acted on. The script can be run multiple times on the same machine.

Group Policy Administrative Template (.ADM file)

The Group Policy Administrative Template (.ADM file) allows administrators to import the new Group Policy settings to block or unblock automatic delivery of Internet Explorer 10 into their Group Policy environment, and use Group Policy to centrally execute the action across systems in their environment.

Users running Windows 7 (SP1) or Windows Server 2008 R2 (SP1) will see the policy under Computer Configuration / Administrative Templates / Classic Administrative Templates / Windows Components / Windows Update / Automatic Updates Blockers v3. This setting is available only as a Computer setting; there is no Per-User setting.

Note: This registry setting is not stored in a policies key and is thus considered a preference. Therefore if the Group Policy Object that implements the setting is ever removed or the policy is set to Not Configured, the setting will remain. To unblock distribution of Internet Explorer 10 by using Group Policy, set the policy to Disabled.

DSM 7.2 ab 6. Dezember 2012

Das ist neu in der Version 7.2: 

- Windows 8 Support (Ich nehme an 2012 auch)

- Windows PE 4.0 Support

- OS Set THIN PC Windows 7 fuer Citrix Jump Hosts (TS-Bastlestunde reloaded ;-)

- Enterprise Load Balancing wohl in Verbindung mit Hardware Load Balancer (Single Web Server mit SOAP war wohl schwachpunkt bei Enterprise)

- Endlich Neue Message BOX Ex. (Ich vermute Frank Sei Dank) der in WIN7 und WIN8 Metro geht > Mit Abfangen JA/NEIN und Cancel fix eingebaut > Super!

- Service Installer (Dialoge fuer Enduser - Muss nicht mehr Autoinstaller sein - Hallo user ich muss rebooten laufe aber als Service, Ok?) > Super!

- Variablen Export (Test Umgebung in Produktiv)

- Default Support Plattform (Nicht bei jedem neuen Package OS wählen)

- Version und Patch Status in INFO GUI (Wow! ein Meisterwerkt von Coder, 5 Zeilen Code in C#)

- UNPIN to Taskbar (Startmenu unklar) Wie die Citrix (Win7 alike) oder UNPIN.VBS Skripts vor allem von Interesse fuer Windows 7 Migrationen

In Allem Super news und endlich Kunden Wünsche sauber integriert.

Leider immer noch keine Anfrage fuer Locked System oder Screensaver > Schade ;-)